ExpressVPN removes the split tunneling feature from its software due to a bug that exposed the websites users visited

ExpressVPN has removed the split tunneling feature from the latest version of its software after discovering a bug that exposed the domains visited by users. The bug affected versions of ExpressVPN for Windows 12.23.1 – 12.72.0 released between May 19, 2022, and February 7, 2024, and only impacted users utilizing the split tunneling feature.

Split tunneling allows users to selectively route some internet traffic through the VPN tunnel, providing flexibility for those who need simultaneous local and secure remote access.

The bug in this feature caused users’ DNS queries to be directed to their internet service provider (ISP) instead of to ExpressVPN’s infrastructure, as they should be. Normally, all DNS queries go through ExpressVPN’s logless DNS server so that the ISP and other organizations cannot track the domains the user visits.

However, this bug resulted in some DNS queries being sent to the user’s configured DNS server on their device, usually the ISP’s server, allowing the ISP to track the user’s browsing habits.

A DNS query leak like the one disclosed by ExpressVPN means that Windows users utilizing the split tunneling feature potentially expose their browsing history to third parties, breaking the fundamental promises of VPN products.

“When a user is connected to ExpressVPN, their DNS queries should be sent to the ExpressVPN server,” explains the provider’s announcement.

“But the bug allowed some of these queries to reach a server from another company, which in most cases would be the user’s ISP.”

“This allows the service provider to see which domains the user visits, such as google.com, although the service provider still cannot see any individual webpages, searches, or other online activities.”

“All content of the user’s online traffic remains encrypted and unreadable by the ISP or any other third party.”

The issue was discovered and reported to the provider by Attila Tomaschek from CNET, and it only occurs when split tunneling mode is enabled.

ExpressVPN claims that the problem affected only about 1% of Windows users and that the company was able to reproduce the bug only in the “Only selected apps have VPN access” split tunneling mode.

Users of ExpressVPN for Windows versions 12.23.1 through 12.72.0 should update their software to the latest version, 12.73.0.

The latest version removes the split tunneling feature. However, ExpressVPN has announced that they will reintroduce it in a future release once the bug is fixed.

If updating is not possible, disabling split tunneling should be sufficient to prevent DNS query leaks, as the bug could not be reproduced in other modes.

If split tunneling is necessary, ExpressVPN recommends downloading and using version 10, which is not affected by this bug.

The source of the article is from the blog motopaddock.nl